Abstract. A challenge in resource-constrained sensor networks is to provide secure communication in an efficient manner, even in the presence of denial-of-service attacks. In this paper, we present a simple protocol for secret maintenance between a pair of network neighbors. We prove that Dolev-Yao adversaries cannot compromise the current secret shared by the neighbors, nor can they cause the neighbors to unduly waste resources. Moreover, we show that if the current secret between the pair is somehow disclosed, previous secrets are not compromised nor can future secrets be compromised. Finally, we propose several ways of bootstrapping the initial secrets of the neighbors.
1. Introduction

A basic step in providing secure communication in a network despite the activity of intruders is to empower authentic network entities with secrets. In this paper we address the problem of establishing and, in particular, maintaining secrets in sensor networks.

Desired properties of secret establishment and maintenance in sensor networks are forward secrecy, backward secrecy, scalability, tolerance to loss of synchronization, tolerance to state corruption of the entities, and tolerance to denial-of-service attacks. Forward secrecy means that compromise of the current session key² does not imply compromise of future session keys. Backward secrecy means that compromise of the current session key does not imply compromise of past session keys. The issue of scalability is of primary concern as sensor networks offer the opportunity to deploy a large number of low-powered devices as opposed to a small number of high-powered devices. Lack of manual configuration and the high frequency of faults motivate the need for tolerances. And withstanding denial-of-service attacks, which try to unduly waste resources of sensor nodes, is crucial in determining the lifetime of the network.

Extant protocols such as Diffie-Hellman key agreement [3] and ones using asymmetric cryptography that deal with secret establishment and exchange involve operations such as exponentiation and multiplication, which consume a lot of computational power, memory and energy. Hence these solutions are not suitable for sensor nodes that have limited resources. An exception is SPINS [14], which, as discussed in Section 9, does not handle denial-of-service attacks. The contribution of this paper is to present “Whisper”, a protocol with the above-mentioned properties.

Overview of Whisper. Whisper limits its use of cryptographic constructs to one-way (pre-image resistant) hash functions, which can be computed efficiently. The protocol is thus suitable for execution on resource-constrained sensor nodes. To provide forward secrecy, we derive each session key from two distinct “key-parts” known only to the two neighboring principals sharing the session key. To move to their next session, they choose their new key-parts, encrypt these new key-parts using their previous key-parts, and exchange the encrypted new key-parts in a predetermined order. To assure that compromise of the current key does not reveal the current key-parts, the function selected to compute the key from the two key-parts is one-way. (This approach may be contrasted to extant solutions that use long-term keys to update session keys, under the assumption that long-term keys are secure.)

More precisely, secret maintenance in Whisper proceeds as follows. Let A and B be two neighboring principals that share a key. Principal A’s key-parts are stored in an array XA and those of principal B in YB. A and B know the two key-parts XA[i-1] and YB[i-1] of the key CAB[i-1] at the end of the (i-1)th session of the protocol, as described in Table 1. To update the key, A sends a request to B which contains one key-part (XA[i]) for the new secret, obscured with XA[i-1] and authenticated using CAB[i-1]; B can retrieve XA[i] as it knows XA[i-1], and it can verify the authenticity of the message since it knows CAB[i-1]. B then responds by contributing the second key-part (YB[i]) for the new secret, obscured with YB[i-1] and authenticated using the new secret (CAB[i]), which it computes from XA[i] and YB[i]. After receiving B’s reply, A can retrieve YB[i] as it knows YB[i-1], and it can compute CAB[i], which it also uses to verify the authenticity of the message.

² Key and Secret are used interchangeably in this paper. Both have the same meaning.


Table 1. Secret Update

Session   1st part    2nd part    Secret
i-1       XA[i-1]     YB[i-1]     CAB[i-1] = f(XA[i-1], YB[i-1])
i         XA[i]       YB[i]       CAB[i]   = f(XA[i], YB[i])

We summarize the protocol below. h is a one-way hash function; f is also a one-way function, which enables forward secrecy. Function rand returns a positive random integer.

A → B : XA[i] + h(XA[i-1], B), h(CAB[i-1], XA[i])

B → A : YB[i] + h(YB[i-1], A), h(CAB[i], YB[i])

where XA[i] = rand(); YB[i] = rand(); CAB[i] = f(XA[i], YB[i])

Organization of the paper. In Section 2, we describe the network, intruder and fault model that we consider in this paper. In Section 3, we give a brief introduction to the Abstract Protocol Notation (APN) [6] and recall definitions of security concepts. We formalize Whisper in APN in Section 4. In Section 5, we give formal proofs of the security and fault-tolerance properties of Whisper. Section 6 proposes a variety of ways to bootstrap the initial secrets in the sensor nodes. Given the importance of defending against denial-of-service attacks in resource-constrained environments, we extend the protocol by adding a notion of count in Section 7. In Section 8, we discuss related work and make concluding remarks.


2. System Model

2.1 Network Model

The network consists of sensor nodes that are small battery-powered devices which may communicate with each other and with a more powerful base station. In turn, the base station may be connected to an outside network. By design, sensor nodes are inexpensive and have limited computational and communication resources. Communication is radio based and is an energy-consuming function for these nodes. Each principal has a unique ID and shares a secret with the base station. For simplicity we assume that each non-malicious node represents a unique principal.


2.2 Intruder Model

The intruder model assumed here is the one proposed by Dolev-Yao [4]. Informally, all the communication channels are accessible to an intruder for reading and writing. The intruder can also intercept the messages, store them in encrypted and decrypted form (in case it knows the keys), and construct messages using the stored and known values. An intruder can be a malicious node in the network and hence can engage in sessions with other neighboring nodes.

The primitive data types that may occur in any message are IDs of the processes and keys. Compound fields are constructed by concatenation and hashing. The concatenation of fields X and Y is the field (X, Y). The hash of a field X is h(X). The sets of primitive data types and compound fields are disjoint. Formally, the fundamental operations on a set S of message fields that are possible for an intruder are parts(S), analz(S) and synth(S) as defined by Paulson [12]. Briefly, parts(S) is the set of all the subfields of fields in the set S, including components of concatenations and the plaintext of encryptions (but not the secret keys). analz(S) is the subset of parts(S) consisting of only those subfields that are accessible to an intruder. These include components of concatenations and the plaintext of those encryptions where the secret key is in analz(S). Finally, synth(S) is the set of fields constructible from S by concatenation and encryption using fields and keys in S. We use the following two results from [12]:

• The set transformers parts(S), analz(S), and synth(S) are closure operators.

• The fake(S) operator models an intruder:

fake(S) = synth(analz(S))

We do not consider the jamming of the radio channel with a strong signal in this paper.


2.3 Fault Model

In addition to the faults captured by the intruder model above, there are corruption faults that corrupt the values of variables in the volatile memory of a sensor node. These faults result in garbage values in the corrupted variables.
3. Programming Notation & Concepts

3.1 Abstract Protocol Notation Syntax

In this section, we briefly recall APN. In this notation, each process in a protocol is defined by a set of constants, a set of variables and a set of actions. Let A be a process in a protocol. The variables of process A can be read and updated by the actions of process A. Each ⟨action⟩ has a unique name and is of the form:

⟨name⟩ :: ⟨guard⟩ → ⟨statement⟩

The guard of an action of A has one of the following three forms: a boolean expression over the constants and variables of A, a receive guard of the form rcv ⟨message⟩ from B where B is another process, or a timeout guard that contains a boolean expression over the constants and variables of every process and the contents of the channels in the protocol.

Executing an action consists of executing all the statements of this action atomically. Executing the actions of different processes in a protocol proceeds according to the following three rules. First, an action is executed only when its guard is true. Second, the actions in a protocol are executed one at a time. Third, an action whose guard is continuously true is executed eventually.

The ⟨statement⟩ of an action of process A is a sequence of ⟨skip⟩, ⟨assignment⟩, ⟨send⟩, ⟨receive⟩ or ⟨selection⟩ statements of the following forms:

⟨skip⟩ : skip

⟨assignment⟩ : ⟨variable in A⟩ := ⟨expression⟩

⟨send⟩ : send ⟨message⟩ to B

⟨receive⟩ : rcv ⟨message⟩ from B

⟨selection⟩ : if ⟨boolean expression⟩ → ⟨statement⟩
              [] ⟨boolean expression⟩ → ⟨statement⟩
              fi

Executing an action of process A can cause a message to be sent to process B. We model the broadcast radio-based communication by two channels between two processes: one is from A to B, and the other one is from B to A. Each message sent from A to B remains in the channel from A to B until it is eventually received by process B or is lost. Messages that reside simultaneously in a channel form a set, and so they are received or lost, one at a time, in any order and not necessarily in the same order in which they are sent.


3.2 Semantics

Let p be a protocol. A state of p is defined by a value for each variable of p, chosen from the predefined domain of the variable. A state predicate of p is a boolean expression over the variables of p. An action of p is enabled in a state iff its guard (state predicate) evaluates to true in that state.

Let s and s' be two states of p. (s, s') is called a state transition of p iff there exists an action ⟨guard⟩ → ⟨statement⟩ such that guard holds in s and s' holds after executing statement. ⟨s1, s2, s3, ..., sn-1, sn⟩ is called a state sequence of a protocol p iff ∀i : 1 ≤ i ≤ n-1 : (si, si+1) is a state transition of p. A state sequence ⟨s1, s2, s3, ..., sn-1, sn⟩ is called a computation of p iff s1 is a starting state of p.

Let S be a state predicate of p. S is closed in p iff for each action ⟨guard⟩ → ⟨statement⟩ in p, executing statement starting from a state where (S ∧ guard) holds results in a state where S holds. S is an invariant of p iff S is true at all the initial states of p and S is closed in p.

Let us partition the variables of p into C (for “critical” variables) and NC (for “non-critical” variables); as these names suggest, the sequence of changes on the critical variables is material for correctness, while the changes on the non-critical variables are not. In other words, SPEC, the specification that p satisfies, depends only on C.

Let s be a state of p. Let v be a subset of the variables of p. s|v is the set of states of p with the same values as s for each variable in v.


3.3 Definition of Security

In this paper, we use the concepts of closure, convergence and protection [7] to explain and verify the security properties of interest. Let SPEC be a system specification describing the allowed computations of the system in the absence of any intruder and fault actions. Intuitively speaking, for a system to be secure, certain “critical system variables” identified in SPEC must be protected; that is, modifications on these variables must be the same whether or not any intruder or fault actions occur. In other words, any mismatching state transition on the critical variables in the absence and the presence of an intruder or faults implies violation of the SPEC for that intruder and fault model.

More specifically, given a protocol that satisfies SPEC, the states reached by the system in the absence of any intruder or fault actions satisfy an “invariant” state predicate. Also, the states reached by the system in the presence of the intruder and fault actions satisfy a potentially weaker invariant, which we call the “fault span”. Our approach to protection is to establish that for every state transition on critical variables in the fault span states, the same state transition exists in the invariant states.

Formally, let S be a closed state predicate of protocol p and F be a set of actions of an intruder. We say p is F-secure for SPEC in C from S iff there exists a state predicate T that satisfies the following conditions:

• S is true at any of the initial states of p.

• At any state where S is true, T is also true. (In other words, S ⇒ T.)

• Starting from any state where T is true, if any action in p or F is executed, the resulting state is also one where T is true. (In other words, T is closed in p and T is closed in F.)

• For any state t where T is true and any action of p or F whose execution in that state changes the values assigned to one or more C variables, if there exists a state s in S such that t|C = s|C, then there exists an action of p which yields the same change of values to the C variables from s (the values of the NC variables may be different in the witness step). (In other words, the critical variables C are protected inside the state predicate T.)

Should we wish liveness in the presence of an intruder, we add one more clause to the definition above:

• Starting from any state where T is true, every computation of p alone eventually reaches a state where S is true.

Our work can be regarded as an invariant-based approach using forward search, in Meadows’ classification of formal methods in cryptographic protocol analysis [11]. Our approach is related to that of Paulson [13] and Cohen [2]. The essential difference between our approach and theirs is that we limit the verification check of the protection condition to the critical variables of the system.


4. The Protocol in Abstract Protocol Notation

In this section, we formalize Whisper as outlined in Section 1 using Abstract Protocol Notation. Process A has arrays XA and XB for storing key-parts. Similarly, process B has arrays YA and YB. A’s key-parts are stored in XA in process A and in YA in process B. Similarly, B’s key-parts are stored in XB in process A and in YB in process B. For optimization, processes A and B cache the computed secrets in arrays CAB and CBA. For all i ≥ 0, CAB[i] = f(XA[i], XB[i]) and CBA[i] = f(YA[i], YB[i]). (We later prove in Corollary 1.1 that (XA[i] = YA[i]) ∧ (XB[i] = YB[i]); hence CAB[i] = CBA[i].)

process A
inp  CA : integer
var  k, n, iA, hXA, tempXB, tempCAB : integer, {initially, iA = 1}
     XA, XB, CAB : array [integer] of integer
     {initially, XA[i] = XB[i] = CAB[i] = ⊥ for all i ≥ iA}
begin
     A0 :: (XA[iA] = ⊥ ∧ XB[iA] = ⊥) →
               XA[iA] := rand();
               hXA := h(CAB[iA-1], XA[iA]);
               send m0(XA[iA] + h(XA[iA-1], B), hXA) to B
  [] A1 :: rcv m1(k, n) from B →
               tempXB := k - h(XB[iA-1], A);
               tempCAB := f(XA[iA], tempXB);
               if (h(tempCAB, tempXB) = n) →
                         XB[iA] := tempXB;
                         CAB[iA] := tempCAB;
                         iA := iA + 1
               [] (h(tempCAB, tempXB) ≠ n) → skip
               fi
  [] A2 :: timeout (XA[iA] ≠ ⊥ ∧ ch.A.B = ⟨⟩ ∧ ch.B.A = ⟨⟩) →
               send m0(XA[iA] + h(XA[iA-1], B), hXA) to B
end

process B
inp  CB : integer
var  k, n, iB, hYB, tempYA : integer, {initially, iB = 1}
     YA, YB, CBA : array [integer] of integer
     {initially, YA[0] = XA[0], YB[0] = XB[0], CAB[0] = CBA[0] = f(XA[0], XB[0]),
      YA[i] = YB[i] = CBA[i] = ⊥ for all i ≥ iB}
begin
     B0 :: rcv m0(k, n) from A →
               tempYA := k - h(YA[iB-1], B);
               if (h(CBA[iB-1], tempYA) = n) →
                         YA[iB] := tempYA;
                         YB[iB] := rand();
                         CBA[iB] := f(YA[iB], YB[iB]);
                         hYB := h(YB[iB-1], A);
                         send m1(YB[iB] + hYB, h(CBA[iB], YB[iB])) to A;
                         iB := iB + 1
               [] (h(CBA[iB-1], tempYA) ≠ n) →
                         tempYA := k - h(YA[iB-2], B);
                         if (h(CBA[iB-2], tempYA) = n) →
                                   send m1(YB[iB-1] + hYB, h(CBA[iB-1], YB[iB-1])) to A
                         [] (h(CBA[iB-2], tempYA) ≠ n) → skip
                         fi
               fi
end
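As an added worked example (not the paper's code), the following Python runs the two processes above against each other, with h instantiated as SHA-256 truncated to 64 bits, f as a separate domain-separated SHA-256, and the paper's "+" obscuring as addition modulo 2^64; the names PrincipalA, PrincipalB, run_sessions and the two scenario functions are this example's own. It exercises the B0 branch that re-answers a re-sent m0 after a lost m1, and the skip branch for an unauthentic request.

```python
import hashlib
import secrets

MOD = 1 << 64                 # key-parts, masks and tags are 64-bit integers

def h(*fields) -> int:
    """The paper's one-way hash h, instantiated as SHA-256 truncated to 64 bits."""
    d = hashlib.sha256(b"".join(b"h|%s|" % str(x).encode() for x in fields))
    return int.from_bytes(d.digest()[:8], "big")

def f(xa: int, yb: int) -> int:
    """The paper's one-way f: the session key derived from the two key-parts."""
    return int.from_bytes(hashlib.sha256(b"f|%d|%d" % (xa, yb)).digest()[:8], "big")

def rand() -> int:
    return secrets.randbelow(MOD - 1) + 1      # positive random integer

class PrincipalA:
    """Process A: request() is action A0 (and the A2 re-send), accept() is A1."""

    def __init__(self, name, peer, xa0, xb0):
        self.name, self.peer, self.i = name, peer, 1
        self.XA, self.XB, self.CAB = {0: xa0}, {0: xb0}, {0: f(xa0, xb0)}

    def request(self):
        i = self.i
        self.XA.setdefault(i, rand())             # A0 picks XA[i] once; A2 re-sends it
        k = (self.XA[i] + h(self.XA[i - 1], self.peer)) % MOD   # obscured key-part
        n = h(self.CAB[i - 1], self.XA[i])                        # authenticator
        return ("m0", k, n)

    def accept(self, msg):
        _, k, n = msg
        i = self.i
        temp_xb = (k - h(self.XB[i - 1], self.name)) % MOD        # recover YB[i]
        temp_cab = f(self.XA[i], temp_xb)
        if h(temp_cab, temp_xb) != n:
            return False                          # unauthentic m1: the `skip` branch
        self.XB[i], self.CAB[i] = temp_xb, temp_cab
        self.i += 1
        for arr in (self.XA, self.XB, self.CAB):  # Theorem 4: keep sessions i-1, i only
            arr.pop(i - 1, None)
        return True

class PrincipalB:
    """Process B: respond() is action B0, including its stale-request branch."""

    def __init__(self, name, peer, ya0, yb0):
        self.name, self.peer, self.i = name, peer, 1
        self.YA, self.YB, self.CBA = {0: ya0}, {0: yb0}, {0: f(ya0, yb0)}

    def _reply(self, j):
        # m1 for session j: YB[j] obscured with h(YB[j-1], A), tagged with CBA[j]
        return ("m1", (self.YB[j] + h(self.YB[j - 1], self.peer)) % MOD,
                h(self.CBA[j], self.YB[j]))

    def respond(self, msg):
        _, k, n = msg
        i = self.i
        temp_ya = (k - h(self.YA[i - 1], self.name)) % MOD
        if h(self.CBA[i - 1], temp_ya) == n:      # authentic request for session i
            self.YA[i], self.YB[i] = temp_ya, rand()
            self.CBA[i] = f(self.YA[i], self.YB[i])
            self.i += 1
            for arr in (self.YA, self.YB, self.CBA):
                arr.pop(i - 2, None)              # sessions i-1 and i are still needed
            return self._reply(i)
        if i >= 2:                                # A may have lost our previous m1
            temp_ya = (k - h(self.YA[i - 2], self.name)) % MOD
            if h(self.CBA[i - 2], temp_ya) == n:
                return self._reply(i - 1)         # same YB[i-1]: no fresh secret spent
        return None                               # forged or garbled m0: skip

def run_sessions(rounds=3):
    """Complete `rounds` updates over a lossless channel; return both principals."""
    xa0, xb0 = rand(), rand()                     # bootstrapped key-parts (Section 6)
    a, b = PrincipalA("A", "B", xa0, xb0), PrincipalB("B", "A", xa0, xb0)
    for _ in range(rounds):
        m1 = b.respond(a.request())
        if m1 is None or not a.accept(m1):
            raise RuntimeError("honest run must not be rejected")
    return a, b

def lost_reply_recovers():
    """m1 of session 1 is lost; A re-sends m0 (A2) and B answers the stale
    request with the *same* YB[1], so both principals still converge."""
    xa0, xb0 = rand(), rand()
    a, b = PrincipalA("A", "B", xa0, xb0), PrincipalB("B", "A", xa0, xb0)
    m0 = a.request()
    lost, resent = b.respond(m0), b.respond(m0)
    return lost == resent and a.accept(resent) and a.CAB[1] == b.CBA[1] and a.i == b.i

def tampered_request_rejected():
    """Altering the obscured key-part without knowing CAB[i-1] fails B's check."""
    xa0, xb0 = rand(), rand()
    a, b = PrincipalA("A", "B", xa0, xb0), PrincipalB("B", "A", xa0, xb0)
    tag, k, n = a.request()
    return b.respond((tag, (k + 1) % MOD, n)) is None and b.i == 1
```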


5. Proofs of Security and Fault-tolerance Properties

5.1 Proof of Security Properties

The assumption for this proof is that h is a pre-image resistant hash function, i.e. it is computationally infeasible to find any pre-image x such that h(x) = y when given any y for which a corresponding input is not known.
Informally, the SPEC of Whisper (consisting of processes A and B) is that not only are the values of XA[i], YB[i], CBA[i] and CAB[i] kept secret, but also an intruder cannot affect the values of YA[i] and XB[i]. The latter can be reduced to one which says that for all i, the corresponding values of XA[i] in A and YA[i] in B, and of XB[i] in A and YB[i] in B, match. Formally,

SPEC ≡ ({XA[iA], YB[iB], f(YA[iB], YB[iB]), f(XA[iA], XB[iA])} ∩ analz(M) = ∅)
     ∧ ((XA[iA] ≠ ⊥ ∧ YA[iB] ≠ ⊥ ∧ iA = iB) ⇒ (XA[iA] = YA[iB]))
     ∧ ((XB[iA] ≠ ⊥ ∧ YB[iB] ≠ ⊥ ∧ iA = iB) ⇒ (XB[iA] = YB[iB]))

where M is the set of messages that principals A and B exchange over the channels ch.A.B and ch.B.A.

The critical variables C of Whisper are XA, XB, YA, YB, iA and iB. Recall that Whisper starts in a state where (iA = iB = 0 ∧ XA[iA] = YA[iB] ∧ XB[iA] = YB[iB]).

Lemma 1: The invariant S of Whisper is S ≡ S0 ∨ S1 ∨ S2, where

S0 ≡ (XA[iA-1] = YA[iB-1]) ∧ (XB[iA-1] = YB[iB-1])
   ∧ (XA[iA] ≠ ⊥) ∧ (YA[iB] = XB[iA] = YB[iB] = ⊥)
   ∧ (iA = iB)
   ∧ (ch.A.B = ⟨m0(XA[iA] + h(XA[iA-1], B), h(CAB[iA-1], XA[iA]))⟩)
   ∧ (ch.B.A = ⟨⟩)

S1 ≡ (XA[iA-1] = YA[iB-2]) ∧ (XB[iA-1] = YB[iB-2])
   ∧ (XA[iA] = YA[iB-1]) ∧ (XB[iA] = ⊥) ∧ (YB[iB-1] ≠ ⊥)
   ∧ (YA[iB] = YB[iB] = ⊥)
   ∧ (iA = iB - 1)
   ∧ (ch.B.A = ⟨m1(YB[iB-1] + h(YB[iB-2], A), h(CBA[iB-1], YB[iB-1]))⟩)
   ∧ (ch.A.B = ⟨⟩)

S2 ≡ (XA[iA-1] = YA[iB-1]) ∧ (XB[iA-1] = YB[iB-1])
   ∧ (XA[iA] = YA[iB] = XB[iA] = YB[iB] = ⊥)
   ∧ (iA = iB)
   ∧ (ch.A.B = ⟨⟩)
   ∧ (ch.B.A = ⟨⟩)

Note that the state predicates S0, S1 and S2 are mutually exclusive.

Proof: S2 holds in the initial state. In the following table, we enumerate each state predicate of Whisper, all actions that are enabled in that state predicate and the state predicate resulting from the execution of those actions.

Current State   Action   Next State
S0              B0       S1
S1              A1       S2
S2              A0       S0

Let T ≡ T0 ∧ T1 be the fault span state predicate, where

T0 ≡ (m0(k,n)#ch.A.B ≥ 1 ∧ h(CBA[iB-1], k - h(YA[iB-1], B)) = n)
     ⇒ (k - h(YA[iB-1], B) = XA[iA] ∧ iA = iB)

T1 ≡ (m1(k,n)#ch.B.A ≥ 1 ∧ h(C', k - h(XB[iA-1], A)) = n)
     ⇒ (k - h(XB[iA-1], A) = YB[iB-1] ∧ iA = iB - 1)
     where C' = f(XA[iA], k - h(XB[iA-1], A))

Note that T0 and T1 cannot both hold non-vacuously in any state, due to the conditions on the values of variables iA and iB. Hence, given that T is true in a state and T0 holds non-vacuously, T1 must hold vacuously; in that case we write T0 ∧ T̄1, where the bar marks the conjunct that holds vacuously. Similarly, given that T is true in a state and T1 holds non-vacuously, T0 must hold vacuously; in that case we write T̄0 ∧ T1.

Lemma 2: S ⇒ T

Proof: In S0, there is one message in ch.A.B, which satisfies T0. Channel ch.B.A is empty, hence T1 is vacuously true. In S1, there is one message in ch.B.A, which satisfies T1. Channel ch.A.B is empty, hence T0 is vacuously true. In S2, both channels ch.A.B and ch.B.A are empty; hence T0 and T1 are vacuously true. Therefore, S ⇒ T. ■

Lemma 3: T is closed in Whisper

Proof: T holds in the initial state when there are no messages in the channels.

Current State   Action    Next State
T               A0, A2    T0 ∧ T̄1
T0 ∧ T̄1        B0        T̄0 ∧ T1
T̄0 ∧ T1        A1        T

Lemma 4: T is closed in F, where F is the set of the intruder’s actions as modeled in Section 2.2

Proof: Interception and replay actions do not violate the state predicate T. The case of pre-play of a message needs to be verified. Let us consider any two consecutive sessions of Whisper. In the (iA)th session, the results of applying the analz operator to messages m0 and m1 are

analz(m0) = {A, B, XA[iA] + h(XA[iA-1], B), h(CAB[iA-1], XA[iA])}
analz(m1) = {A, B, YB[iB] + h(YB[iB-1], A), h(CBA[iB], YB[iB])}.

XA[iA], YB[iB] and CBA[iB] appear in parts of any message for the first time in this session. Still, XA[iA] ∉ analz(m0, m1), YB[iB] ∉ analz(m0, m1) and CBA[iB] ∉ analz(m0, m1).

Similarly, in the (iA+1)th session, the results of applying the analz operator to messages m0' and m1' are

analz(m0') = {A, B, XA[iA+1] + h(XA[iA], B), h(CAB[iA], XA[iA+1])}
analz(m1') = {A, B, YB[iB+1] + h(YB[iB], A), h(CBA[iB+1], YB[iB+1])}.

XA[iA] ∉ analz(m0', m1'), YB[iB] ∉ analz(m0', m1') and CAB[iA] ∉ analz(m0', m1'). Hence neither the key-parts nor the key are revealed in any of the messages.

Since {x + h(XA[iA], B), h(CAB[iA], x)} ∉ fake(m0, m1, m0') for any x ≠ XA[iA+1], an intruder cannot synthesize a new message m0' that violates T0. Similarly, since {y + h(YB[iB], A), h(C', y)} ∉ fake(m0, m1, m0', m1') for any y ≠ YB[iB+1], where C' = f(XA[iA], y), an intruder cannot synthesize a new message m1' that violates T1. Therefore T is closed in F. ■
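The operators parts, analz and synth of Section 2.2 and the membership claims in the proof of Lemma 4 (and the key-compromise cases of Theorems 2 and 3 below) can be checked mechanically over a symbolic term model. The following Python is an added example, not the paper's code: it models h and f as opaque one-way constructors and the "+" obscuring as a two-way operation (knowing either summand reveals the other); every class and function name in it is this example's own.

```python
from dataclasses import dataclass

# Symbolic message algebra of Section 2.2: atoms are IDs and key-parts; Hash
# covers both h and the one-way f; Plus is the paper's '+' obscuring, which
# acts like symmetric encryption: either summand reveals the other.
@dataclass(frozen=True)
class Atom:
    name: str

@dataclass(frozen=True)
class Pair:
    left: object
    right: object

@dataclass(frozen=True)
class Hash:
    fn: str
    args: tuple

@dataclass(frozen=True)
class Plus:
    secret: object
    mask: object

def parts(S):
    """Every subfield: pair components and obscured plaintexts, but never
    masks or hash preimages (Paulson's parts)."""
    out, todo = set(), list(S)
    while todo:
        t = todo.pop()
        if t in out:
            continue
        out.add(t)
        if isinstance(t, Pair):
            todo += [t.left, t.right]
        elif isinstance(t, Plus):
            todo.append(t.secret)
    return out

def analz(S):
    """Subfields an intruder can actually extract (least fixpoint)."""
    known = set(S)
    while True:
        new = set()
        for t in known:
            if isinstance(t, Pair):
                new |= {t.left, t.right}
            elif isinstance(t, Plus):
                if t.mask in known:
                    new.add(t.secret)
                if t.secret in known:
                    new.add(t.mask)
        if new <= known:
            return known
        known |= new

def in_synth(t, known):
    """t in synth(known): buildable by pairing, hashing and '+' of known fields."""
    if t in known:
        return True
    if isinstance(t, Pair):
        return in_synth(t.left, known) and in_synth(t.right, known)
    if isinstance(t, Hash):
        return all(in_synth(a, known) for a in t.args)
    if isinstance(t, Plus):
        return in_synth(t.secret, known) and in_synth(t.mask, known)
    return False

def in_fake(t, S):
    """fake(S) = synth(analz(S))."""
    return in_synth(t, analz(S))

# Whisper's fields and the two messages of session i (names follow the paper).
A, B = Atom("A"), Atom("B")
def XA(i): return Atom(f"XA[{i}]")
def YB(i): return Atom(f"YB[{i}]")
def h(*args): return Hash("h", args)
def f(x, y): return Hash("f", (x, y))
def CAB(i): return f(XA(i), YB(i))
def m0(i): return Pair(Plus(XA(i), h(XA(i - 1), B)), h(CAB(i - 1), XA(i)))  # A -> B
def m1(i): return Pair(Plus(YB(i), h(YB(i - 1), A)), h(CAB(i), YB(i)))      # B -> A

def lemma4_checks(i=5):
    """Lemma 4 over sessions i and i+1: key-parts occur in parts() but not in
    analz(); a replay lies in fake() (which T0/T1 tolerate) but a forged m0'
    built around an intruder-chosen x does not."""
    S = {A, B, m0(i), m1(i), m0(i + 1), m1(i + 1)}
    known = analz(S)
    x = Atom("x_intruder")
    forged_m0 = Pair(Plus(x, h(XA(i), B)), h(CAB(i), x))
    return {
        "XA_i_in_parts": XA(i) in parts(S),
        "XA_i_hidden": XA(i) not in known,
        "YB_i_hidden": YB(i) not in known,
        "CAB_i_hidden": CAB(i) not in known,
        "replay_possible": in_fake(m0(i), S),
        "forgery_possible": in_fake(forged_m0, S | {x}),
    }

def compromised_key_checks(i=5):
    """Theorems 2 and 3: with CAB[i] leaked and f one-way, neither key-part
    nor the neighbouring keys CAB[i-1] and CAB[i+1] become extractable."""
    known = analz({A, B, m0(i), m1(i), m0(i + 1), m1(i + 1), CAB(i)})
    return (XA(i) not in known and YB(i) not in known
            and CAB(i - 1) not in known and CAB(i + 1) not in known)
```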


Lemma 5: The critical variables C of Whisper are protected inside T

Proof: In the following table, we enumerate each state predicate of Whisper in the presence of an intruder, the state of the critical variables, an action that is enabled in that state of Whisper, the state predicate resulting from the execution of that action, and the state of the critical variables in the resulting state. (n/a means that the current state and the state of the critical variables cannot hold together.) For example, when the current state of Whisper is T̄0 ∧ T1, iA is equal to iB - 1, whereas when the state of the critical variables is S0, iA is equal to iB. Hence the critical variables cannot be in state S0 when Whisper is in state T̄0 ∧ T1.

Current State   Critical Variables   Action   Next State   Critical Variables
T0 ∧ T̄1        S0                   B0       T̄0 ∧ T1      S1
T̄0 ∧ T1        S0                   n/a      n/a          n/a
T               S0                   A2       T0 ∧ T̄1      S0
T0 ∧ T̄1        S1                   n/a      n/a          n/a
T̄0 ∧ T1        S1                   A1       T            S2
T               S1                   A2       T            S1
T0 ∧ T̄1        S2                   n/a      n/a          n/a
T̄0 ∧ T1        S2                   n/a      n/a          n/a
T               S2                   A0       T0 ∧ T̄1      S0

Theorem 1: Whisper is F-secure for SPEC in C from S

Proof: It follows from Lemmas 1-5 and the definition of security. ■

Corollary 1.1: ((XA[iA] ≠ ⊥ ∧ YA[iB] ≠ ⊥ ∧ iA = iB) ⇒ (XA[iA] = YA[iB]))
             ∧ ((XB[iA] ≠ ⊥ ∧ YB[iB] ≠ ⊥ ∧ iA = iB) ⇒ (XB[iA] = YB[iB]))

Proof: From Theorem 1 and the protection condition, for each state t (where T is true) in the computation of Whisper there exists a state s in S such that t|C = s|C. Since ((XA[iA] ≠ ⊥ ∧ YA[iB] ≠ ⊥ ∧ iA = iB) ⇒ (XA[iA] = YA[iB])) ∧ ((XB[iA] ≠ ⊥ ∧ YB[iB] ≠ ⊥ ∧ iA = iB) ⇒ (XB[iA] = YB[iB])) holds in S, it holds in T. ■

We recall the definitions of backward and forward secrecy [10]. Backward secrecy guarantees that a passive adversary who knows a contiguous subset of secrets cannot discover preceding secrets. Forward secrecy guarantees that a passive adversary who knows a contiguous subset of old secrets cannot discover subsequent secrets.

Theorem 2: Whisper provides backward secrecy

Proof: Let m0_i, m1_i be the messages exchanged by A and B during the ith session of Whisper.

analz(m0_i) = {A, B, XA[i] + h(XA[i-1], B), h(CAB[i-1], XA[i])},
analz(m1_i) = {A, B, YB[i] + h(YB[i-1], A), h(CBA[i], YB[i])}

Let us assume the adversary knows the secrets starting from the Kth session up to the Mth session, and let i = K-1.

From the proof of Lemma 4, XA[i] ∉ analz(m0_i, m1_i), YB[i] ∉ analz(m0_i, m1_i), XA[i] ∉ analz(m0_{i+1}, m1_{i+1}) and YB[i] ∉ analz(m0_{i+1}, m1_{i+1}). From the protocol actions, (∀j : j < K-1 : XA[i] ∉ analz(m0_j, m1_j) and YB[i] ∉ analz(m0_j, m1_j)). Also (∀j : K ≤ j ≤ M : XA[i] ∉ analz(m0_j, m1_j, CAB[j]) and YB[i] ∉ analz(m0_j, m1_j, CAB[j])).

Hence the (K-1)th secret is not revealed. Using induction on i (for all i ≤ K-2), the secrets of all sessions less than K are not revealed. ■

Theorem 3: Whisper provides forward secrecy if function f is one-way

Proof: Let m0_i, m1_i be the messages exchanged by A and B during the ith session of Whisper.

analz(m0_i) = {A, B, XA[i] + h(XA[i-1], B), h(CAB[i-1], XA[i])}
analz(m1_i) = {A, B, YB[i] + h(YB[i-1], A), h(CBA[i], YB[i])}

Let us assume the adversary knows the secrets starting from the Kth session up to the Mth session, and let i = M+1.

Since f is one-way, XA[i] ∉ analz(CAB[i]) and YB[i] ∉ analz(CAB[i]). From the proof of Lemma 4, XA[i] ∉ analz(m0_i, m1_i), YB[i] ∉ analz(m0_i, m1_i), XA[i] ∉ analz(m0_{i+1}, m1_{i+1}) and YB[i] ∉ analz(m0_{i+1}, m1_{i+1}). From the protocol actions, (∀j : j ≥ M+2 : XA[i] ∉ analz(m0_j, m1_j) and YB[i] ∉ analz(m0_j, m1_j)). Also (∀j : K ≤ j ≤ M : XA[i] ∉ analz(m0_j, m1_j, CAB[j]) and YB[i] ∉ analz(m0_j, m1_j, CAB[j])). Hence the (M+1)th secret is not revealed. Using induction on i (for all i ≥ M+2), the secrets of all sessions greater than M are not revealed. ■

For reasons of space, we omit the proof of liveness of Whisper in the presence of an intruder.


5.2 Proof of Fault-Tolerance Properties

Theorem 4: Principals A and B are never out of synchronization by more than one session

Proof: From Theorem 1 and the protection condition, for each state t (where T is true) in the computation of Whisper there exists a state s in S such that t|C = s|C. In T, (iA = iB) ∨ (iA = iB - 1). Therefore, for each state t (where T is true) in the computation of Whisper, (iA = iB) ∨ (iA = iB - 1). Therefore principals A and B are never out of synchronization by more than one session. ■

The implication of Theorem 4 is that it is sufficient for a principal to remember the secrets of at most two consecutive sessions. Hence the infinite arrays XA, XB, CAB in process A can be replaced by arrays with two values each, and the integer variable iA by a single binary digit. Similarly for variables YA, YB, CBA and iB of process B.

The  next  theorem  deals  with  the  ability  of  Whisper  to  recover  to  its  invariant  S 
upon  corruption  of  all  variables  of  A  and  B,  except  for  variables  XA,  YA,  XB,  YB, 
iA  and  iB,  without  compromising  security. 

Theorem 5: Whisper is self-stabilizing to S with respect to arbitrary corruption of 
all variables of A and B, except for variables XA, YA, XB, YB, iA and iB. 
Proof: From Theorem 1, Whisper is F-secure for SPEC in C from S. The only 
variables of A and B in the state predicate T are XA, YA, XB, YB, iA and iB. The 
values of all the other variables, which we call "corruptible", can be arbitrary. 
Corruption of corruptible variables does not violate T. Therefore Whisper is 
still F-secure for SPEC in C from S. 

All the corruptible variables except those used as caches for optimization, 
such as hXA, are calculated afresh during every execution of every action of 
Whisper. The variable hXA stores the value h(CAB[iA-1], XA[iA]), which is used 
across the two actions A0 and A2. To guarantee liveness of Whisper, hXA can be 
periodically recalculated from the current values of CAB[iA-1] and XA[iA], which 
are not corrupted. Hence Whisper is self-stabilizing with respect to the corruption 
of all the variables inside the principals except for XA, YA, XB, YB, iA and iB. ■ 


The  corruptible  variables  can  be  kept  in  volatile  memory  of  a  principal  while  all 
the  other  variables  are  kept  in  non-volatile  memory. 


6.  Bootstrapping  the  Initial  Secret 

The initial secret between A and B can be bootstrapped using a variety of methods, 
depending upon the level of initial trust in the network and the level of efficiency 
required; the more initial trust can be assumed, the cheaper bootstrapping becomes. In 
case of no initial trust in the network, a base station (principal SB) serves as a 
trusted authority used to bootstrap the initial secret (multiple base stations can be 
deployed for load-balancing purposes). SB shares a secret CU with every principal 
U in the network, e.g. SB shares secrets CA and CB with A and B respectively. 
When A wishes to establish a secret with B, it contacts SB. SB replies with the 
two key-parts XA[0] and YB[0], combined as XA[0] + YB[0]. A can compute XA[0] by itself 
and retrieve YB[0] from the reply. Similarly, B can compute YB[0] by itself and retrieve 
XA[0] from the reply. Hence both of them can compute the initial shared secret CAB[0]. 

A → SB : B, h(CA, A, B) 

SB → A, B : XA[0] + YB[0], h(XA[0]), h(YB[0]) 

where XA[0] = h(CA, B); YB[0] = h(CB, A); CAB[0] = f(XA[0], YB[0]) 
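The base-station bootstrap above, as an added Python model that is not code from the paper. The hash h and the combination function f, which the paper leaves abstract, are instantiated here with SHA-256, the "+" in SB's reply is read as XOR masking, and the names BaseStation, derive_as_requester, derive_as_responder and bootstrap_demo are this example's own. The per-node secrets CA and CB are constructed at random for the run.

```python
import hashlib
import os


def h(*parts: bytes) -> bytes:
    # The paper's abstract hash h(.), instantiated as SHA-256 over length-prefixed parts (assumption)
    return hashlib.sha256(b"".join(len(p).to_bytes(2, "big") + p for p in parts)).digest()


def f(xa: bytes, yb: bytes) -> bytes:
    # Key-combination function CAB[0] = f(XA[0], YB[0]), also SHA-256 here (assumption)
    return h(b"f", xa, yb)


def xor(a: bytes, b: bytes) -> bytes:
    # The "+" of the message format is read as XOR masking (assumption)
    return bytes(x ^ y for x, y in zip(a, b))


class BaseStation:
    """SB: shares a secret C_U with every principal U (name -> C_U)."""

    def __init__(self, secrets):
        self.secrets = secrets

    def handle_request(self, sender: bytes, msg):
        target, tag = msg                       # A -> SB : B, h(CA, A, B)
        ca, cb = self.secrets.get(sender), self.secrets.get(target)
        if ca is None or cb is None or tag != h(ca, sender, target):
            return None                         # unauthenticated request: no further work spent
        xa0 = h(ca, target)                     # XA[0] = h(CA, B)
        yb0 = h(cb, sender)                     # YB[0] = h(CB, A)
        # SB -> A, B : XA[0] + YB[0], h(XA[0]), h(YB[0])
        return (xor(xa0, yb0), h(xa0), h(yb0))


def derive_as_requester(ca: bytes, peer: bytes, reply) -> bytes:
    """A recomputes XA[0] itself, unmasks YB[0] and checks both against SB's hashes."""
    masked, h_xa0, h_yb0 = reply
    xa0 = h(ca, peer)
    yb0 = xor(masked, xa0)
    if h(xa0) != h_xa0 or h(yb0) != h_yb0:
        raise ValueError("reply does not match the expected key-parts")
    return f(xa0, yb0)


def derive_as_responder(cb: bytes, peer: bytes, reply) -> bytes:
    """B recomputes YB[0] itself, unmasks XA[0] and checks both against SB's hashes."""
    masked, h_xa0, h_yb0 = reply
    yb0 = h(cb, peer)
    xa0 = xor(masked, yb0)
    if h(xa0) != h_xa0 or h(yb0) != h_yb0:
        raise ValueError("reply does not match the expected key-parts")
    return f(xa0, yb0)


def bootstrap_demo():
    CA, CB = os.urandom(16), os.urandom(16)     # constructed per-node secrets shared with SB
    sb = BaseStation({b"A": CA, b"B": CB})
    reply = sb.handle_request(b"A", (b"B", h(CA, b"A", b"B")))
    cab_a = derive_as_requester(CA, b"B", reply)
    cab_b = derive_as_responder(CB, b"A", reply)
    # A request from a node that does not hold CA is dropped before any key-part is computed
    rejected = sb.handle_request(b"A", (b"B", h(os.urandom(16), b"A", b"B")))
    return cab_a, cab_b, rejected
```

Both sides check h(XA[0]) and h(YB[0]) before combining, so a corrupted or mis-addressed reply is detected before either principal stores a key; the reply itself reveals neither key-part to a listener who holds neither CA nor CB.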

In  case  of  perfect  initial  trust  in  the  network,  we  can  more  efficiently  bootstrap 
the  secrets.  All  nodes  can  be  provided  with  a  common  secret  that  has  a  limited 
lifetime  tp,  such  that  once  tp  expires  a  principal  will  no  longer  remember  that 
secret.  During  tp,  this  common  secret  is  used  to  initialize  the  two  key-parts.  Once 
tp  has  elapsed,  any  new  principal  joining  the  network  has  to  resort  to  the  base 
station  for  initiating  communication  with  other  principals.  The  assumption 
underlying  this  optimization  is  that  during  tp,  all  principals  are  non-malicious. 

In case of partial initial trust in the network, a scheme such as key trees [8] can 
be used. Given a tree of keys such that each principal is associated with a leaf 
node and knows all the keys on the path from this leaf to the root of the 
tree, A and B use the first key that they share, starting from the bottom of the 
tree, as their initial key-parts. This is more efficient than using a base station but 
less efficient than using a single secret all over the network. 
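The key-tree variant, as an added Python example that is not from the paper or from [8]. It assumes a complete binary tree whose node keys are derived from the parent key by hashing (a constructed derivation; the scheme only needs the keys to be distinct and pre-distributed), and the names build_key_tree, path_keys, shared_key_part and exposure are this example's own. Besides selecting the lowest shared key, it computes how many principals hold that key, which is the trust trade-off the paragraph describes: the farther apart A and B sit in the tree, the more other nodes know their initial key-parts.

```python
import hashlib


def h(*parts: bytes) -> bytes:
    # Abstract hash h(.) instantiated as SHA-256 over length-prefixed parts (assumption)
    return hashlib.sha256(b"".join(len(p).to_bytes(2, "big") + p for p in parts)).digest()


def build_key_tree(root_key: bytes, depth: int):
    """Complete binary key tree; node (level, index) gets a key derived from its parent (constructed)."""
    keys = {(0, 0): root_key}
    for level in range(1, depth + 1):
        for idx in range(2 ** level):
            keys[(level, idx)] = h(keys[(level - 1, idx // 2)], bytes([idx & 1]))
    return keys


def path_keys(keys, depth: int, leaf: int):
    """Keys held by the principal at leaf position `leaf`: its own leaf key up to the root."""
    return [keys[(level, leaf >> (depth - level))] for level in range(depth, -1, -1)]


def shared_key_part(keys, depth: int, leaf_a: int, leaf_b: int):
    """First key A and B share starting from the bottom, i.e. the key of their lowest common ancestor.
    Returns (level, key); level 0 is the root."""
    for up, (ka, kb) in enumerate(zip(path_keys(keys, depth, leaf_a), path_keys(keys, depth, leaf_b))):
        if ka == kb:
            return depth - up, ka
    raise ValueError("leaves are not in the same tree")


def exposure(depth: int, level: int) -> int:
    """Number of principals (leaves) that hold the key at `level`: the whole subtree below it."""
    return 2 ** (depth - level)
```

With depth 3 (eight principals), siblings 0 and 1 share their parent's key, known to two principals, while leaves 0 and 7 share only the root key, known to all eight; the partial-trust assumption is exactly that these co-holders are honest during bootstrapping.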


7.  Defending  against  Denial-of-Service  Attacks 
7.1  Denial-of-Service  Attacks 

Sensor networks with constrained resources are especially vulnerable to attacks 
that waste those resources. For example, in the bootstrapping protocol described 
above, where there is a unique secret per node, an intruder E can easily replay old 
request messages of A and not only force the base station to send replies but also 
force A and B to switch back to the initial secret; this wastes the resources of A and B 
(which have to form and remember the secret) and of the base station. Similarly, 
during secret update an intruder can replay old messages of A to force B to 
send the corresponding replies, so that B wastes its energy on sending 
reply messages. These attacks apply even when E is not part of the network, 
i.e. it does not even have CE. 

Sometimes  a  principal  is  compromised,  and  its  secrets  are  disclosed.  In  this 
case,  E  can  create  authenticated  messages.  In  bootstrapping,  such  an  intruder  can 
create  valid  request  messages  and  during  secret  update  it  can  send  malicious 
update  messages  just  to  waste  resources  of  the  participating  nodes. 
7.2  Measures  against  Denial-of-Service  Attacks 

Since communication is radio-based, a node has to listen to all the messages in its 
receiving range, even those from malicious nodes. Hence measures need to be 
taken to identify and process only genuine messages, using as little energy as possible. 
To defend against denial-of-service attacks, we present an enhanced version of the 
bootstrapping and secret update protocols. 

A  notion  of  count  is  introduced  in  each  process.  Every  process  has  an  internal 
counter,  which  is  incremented  at  least  once  after  any  program  action  is  executed. 
Each  process  maintains  its  current  knowledge  of  the  counter  values  of  all  other 
processes  it  is  communicating  with. 

Bootstrapping  Initial  Secret 

A → SB : B, tA, h(CA, A, B, tA) 

SB → A, B : tS, XA[0] + XB[0], h(tS, XA[0]), h(tS, XB[0]) 

where tA, tS are the current values of the counters in A and SB respectively; 

XA[0] = h(CA, B, tS); XB[0] = h(CB, A, tS); CAB[0] = f(XA[0], XB[0]) 

Secret  Update 

A → B : tA, XA[i] + h(XA[i-1], B), h(CAB[i-1], XA[i], tA) 

B → A : tB, XB[i] + h(XB[i-1], A), h(CAB[i], XB[i], tB) 

where tA, tB are the current values of the counters in A and B respectively; 

XA[i] = rand(); XB[i] = rand(); CAB[i] = f(XA[i], XB[i]) 

The  enhanced  version  described  above  handles  denial-of-service  attacks  via 
four  mechanisms,  viz.,  self-authorizing  request  messages  [16],  synchronization, 
asymmetry  in  resource  expenditure,  and  caching  of  computationally  expensive 
messages  [16].  The  last  two  are  especially  important  in  case  an  intruder  is  a 
compromised  node.  Below  we  offer  an  intuitive  explanation  of  the  use  of  these 
mechanisms: 

1.  Each message contains an authentication of its sender. While bootstrapping 
the secrets, requester A uses CA and the base station uses CA and CB to 
authenticate the messages. In secret update, requester A uses CAB[i-1] 
for authentication. The receiver expends resources only when a request is 
authentic. Hence an intruder can mount an attack only if it sends authentic 
request messages. Since the secrets are not leaked to an intruder, it can only 
replay authentic messages, which is handled by (2). 

2.  Each fresh authentic message contains a sequence number which is greater 
than that in the previous authentic message. The receiver records the 
sequence number of the last authentic message from the sender. The 
receiver detects the replay of a message if it carries a sequence number 
less than or equal to the recorded one, in which case it discards the replayed 
message. For example, in bootstrapping, an intruder cannot replay the base 
station's messages to force A and B to revert to the initial secret. Similarly, 
in secret update, an intruder cannot replay A's messages to force B to send 
reply messages again. 

3.  One  way  to  discourage  denial-of-service  attacks  is  to  force  an  intruder  to 
expend  more  resources  compared  to  benign  nodes  for  establishing  and 
maintaining  malicious  sessions.  This  is  especially  useful  when  the  intruder 
is  a  compromised  node  and  can  create  authentic  messages.  Note  that  in  both 
secret  bootstrap  and  update,  an  intruder  at  a  compromised  node  has  to  do 
more  work  than  benign  nodes  to  force  them  to  maintain  sessions  with  it. 
This  would  deplete  the  resources  of  the  malicious  node. 

4.  Resending requests and responses causes a principal to waste many 
resources if it has to compute them repeatedly. In Whisper, A reuses the 
value XA[i] + h(XA[i-1], B) in the request if it has to send the request again. B 
can also reuse the value XB[i] + h(XB[i-1], A) in the corresponding response. 
Hence both A and B can cache previously computed values, which 
saves them energy when they are forced to re-send the same 
messages, e.g. due to spurious collisions or due to a compromised node. 


8.  Related  Work  and  Concluding  Remarks 

The  literature  on  secret  agreement  is  extensive,  and  we  will  not  attempt  to  be 
comprehensive  in  this  compilation  of  related  work.  Instead,  we  will  discuss  works 
that  most  directly  influenced  ours  or  are  representative  of  existing  ideas. 

Secret agreement using asymmetric cryptography has a long history in the 
context of network protocols for telecommunication networks. Diffie-Hellman [3], 
RSA [15] and ElGamal [5] are prominent examples. Other related work deals with 
secret agreement in mobile ad-hoc networks, such as Balfanz et al. [1] and Hubaux 
et al. [9]; these works also use asymmetric cryptography, while we use the less 
expensive symmetric cryptography. 

Perrig et al. [14] recently proposed SPINS, which has two building blocks, 
SNEP and μTESLA. SNEP provides data confidentiality, two-party data 
authentication, and data freshness, and μTESLA provides efficient broadcast 
authentication. SPINS does not deal with secret maintenance, and in this regard it 
can be used in combination with Whisper. SPINS does however provide, just as 
we do, a way to bootstrap the initial secret between two neighboring nodes using 
a base station as a trusted agent. However, it does not deal with the denial-of- 
service attack of a malicious node sending spurious key request messages (a 
malicious node can forge a new request message in SPINS). Also, Whisper does 
not require real-time synchronization, in contrast to SPINS. 

In conclusion, secret establishment and maintenance in a large-scale 
resource-constrained sensor network has requirements that are not met by classical secret 
agreement protocols. To the best of our knowledge, Whisper is the first piece of 
work in which neighboring node-to-node local secret maintenance with the 
property of forward secrecy is achieved using session keys only. 